Skip to main content

Data Processing Agreement

Effective: 21 April 2026|
v2.0
Download PDF
Also available in:Turkish (TR)

Data Processing Agreement

Version 2.0  |  Effective date: 21 April 2026

This Data Processing Agreement (“DPA”) is entered into between SummitBridge Horizon Ltd, Companies House No. 16419201, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ (the “Processor”, “we”, “us”) and the Customer identified in the applicable Order (the “Controller”, “you”). It forms part of the Terms of Service and governs the processing of personal data by the Processor on behalf of the Controller.

This DPA is entered into under and complies with UK GDPR, EU GDPR, the Data Protection Act 2018, PECR, and the Data (Use and Access) Act 2025.

1. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1).
  • Processing — any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
  • Data Subject — the identified or identifiable natural person to whom the personal data relates.
  • Sub-processor — any third party engaged by the Processor to process personal data on behalf of the Controller.
  • Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  • DUA Act 2025 — the Data (Use and Access) Act 2025, in force from 5 February 2026.

2. Scope of Processing

The Processor shall process personal data only as necessary to provide the Services, which may include:

  • AI-powered business intelligence and analytics (BusinessOS, CofferMindIQ, CyberIntel, StatuteForgeIQ).
  • AI-assisted recruitment and candidate management (HumanBaseIQ).
  • Customer-relationship management and support.
  • Payment processing and billing.
  • Email communications (transactional and consented marketing).
  • Cybersecurity monitoring, phishing-simulation training, and vulnerability scanning.

Categories of data subjects: Controller employees, end users, job candidates (HumanBaseIQ), business contacts, and individuals featured in documents submitted to the Services.

Types of personal data: names, email addresses, job titles, company information, usage data, CV and assessment data (HumanBaseIQ), interview recordings (HumanBaseIQ, with explicit consent), assessment scores, support correspondence, and related identifiers.

3. Processing Instructions

3.1 The Processor shall process personal data only on the Controller’s documented instructions, unless required to process by law, in which case the Processor shall notify the Controller first where legally permitted.

3.2 The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes UK GDPR, EU GDPR, the DUA Act 2025, or any other applicable data-protection law.

3.3 The Controller instructs the Processor to process personal data for the purposes described in the Terms of Service and this DPA.

3.4 Both parties agree to facilitate Smart Data requests and approved data-intermediary arrangements under the DUA Act 2025.

4. Confidentiality

The Processor ensures that personnel authorised to process the Controller’s personal data are bound by written confidentiality obligations or under an appropriate statutory duty of confidentiality.

5. Security Measures

The Processor implements technical and organisational measures appropriate to the risk, including:

  • TLS 1.2+ encryption in transit.
  • AES-256 encryption at rest for sensitive data stores and backups.
  • Application-level field encryption for regulated data; keys held outside the application database.
  • Role-based access control and least-privilege principles.
  • Multi-factor authentication for administrative access.
  • Regular security assessments, penetration testing, and dependency audits.
  • Secure development practices aligned to OWASP Top 10.
  • Automated vulnerability scanning and patching.
  • A tested incident-response plan (see the Incident Response Policy).
  • Annual staff training on data protection and security.
  • Physical security at the data-centre locations used by sub-processors.

6. Sub-processors

6.1 The Controller provides general authorisation for the Processor to engage sub-processors subject to the conditions in this section.

6.2 The current list of authorised sub-processors is maintained at /legal/sub-processors and is authoritative. As of the effective date of this DPA the list is:

Sub-processorPurposeLocationTransfer Safeguard
Hostinger International LtdVPS infrastructure, platform and agent hostingGermany (EU)Article 28 DPA + EU data residency
Anthropic PBCAI language-model inference (no raw PII used as model input)United StatesUK IDTA + EU SCCs + minimisation and pseudonymisation
Stripe Payments Europe LtdPayment processing and subscription billingIreland / United StatesPCI DSS Level 1 + EU SCCs
Wise Payments LtdMulti-currency business banking (GBP / USD / EUR invoicing)United Kingdom / BelgiumFCA-regulated (UK) + ECB-authorised (EU)
Resend, Inc.Transactional and consented marketing email deliveryUnited StatesEU SCCs + signed DPA
Cloudflare, Inc.CDN, DNS, DDoS protection, Web Application FirewallGlobal edge with EU/UK presenceUK IDTA + EU SCCs + ISO 27001
Telegram FZ-LLCInternal operational alerts to the Director only — no customer PII transmittedUnited Arab EmiratesInternal use only; customer personal data is not sent

6.3 The Processor shall notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller an opportunity to object on reasonable data-protection grounds.

6.4 If the Controller objects and the parties cannot reach a resolution within 30 days, the Controller may terminate the affected Service without penalty.

6.5 The Processor requires each sub-processor to be bound by obligations no less protective than those in this DPA and remains fully liable to the Controller for each sub-processor’s performance.

7. Data Subject Rights

7.1 The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under UK GDPR, EU GDPR, and the DUA Act 2025, including: access, rectification, erasure, restriction, portability, objection, rights under UK GDPR Article 22, the Smart Data Right, and rights to use approved data intermediaries.

7.2 The Processor shall respond to Controller requests for assistance within 5 business days, or sooner where the applicable statutory deadline requires it.

7.3 If a data subject contacts the Processor directly, the Processor shall promptly redirect the request to the Controller unless legally required to respond directly.

8. Data Breach Notification

8.1 The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a personal-data breach affecting the Controller’s data. This supports the Controller’s statutory 72-hour notification obligation to the ICO.

8.2 The notification shall include: the nature of the breach, categories and approximate numbers of data subjects and records affected, contact details for the Processor’s point of contact, likely consequences, and measures taken or proposed.

8.3 The Processor shall cooperate with the Controller and take reasonable steps to investigate, mitigate, and remediate each breach, and shall maintain a register of all breaches and remedial actions taken.

9. Audit Rights

9.1 The Processor shall make available all information necessary to demonstrate compliance with this DPA and applicable data-protection laws.

9.2 The Processor shall allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller.

9.3 Audits require at least 30 days’ prior written notice, take place during normal business hours, and shall not unreasonably interfere with the Processor’s operations.

9.4 The Processor may satisfy audit requests by providing an up-to-date SOC 2 Type II report, ISO 27001 certification (where obtained), results of independent third-party audits, or completed industry security questionnaires.

10. International Transfers

10.1 The Processor shall not transfer personal data outside the United Kingdom or the European Economic Area without appropriate safeguards in place.

10.2 For transfers to the United States or other third countries, the Processor relies on UK International Data Transfer Agreements (IDTAs), the UK Addendum to the EU SCCs, EU Standard Contractual Clauses, adequacy decisions where available (including the UK/EU-US Data Privacy Framework for participating US processors), and supplementary measures (encryption, pseudonymisation, minimisation) where required by Transfer Impact Assessment.

10.3 Primary processing location: Hostinger servers in Germany (EU). Specific sub-processor locations are set out in section 6.2 and at /legal/sub-processors.

11. AI Processing

11.1 Where the Processor uses AI models (including Anthropic’s Claude family) to deliver the Services, the Processor applies minimisation and pseudonymisation so that raw personal data is not used as model input except where strictly necessary and lawful.

11.2 The Processor does not use Controller personal data to train third-party models and does not permit sub-processors to do so.

11.3 For high-risk AI systems (HumanBaseIQ), the Processor supports the Controller’s deployer obligations under the EU AI Act with documentation, logs, and bias-audit outputs as appropriate.

12. Termination and Data Return

12.1 On termination of the Services or this DPA, the Processor shall, at the Controller’s choice, return all personal data to the Controller in a structured, commonly used, machine-readable format, or securely delete all personal data and confirm deletion in writing.

12.2 The Controller must elect within 30 days of termination. Absent an election, the Processor shall securely delete the data.

12.3 The Processor may retain personal data to the extent required by applicable law (for example HMRC financial-record retention of 7 years), provided such data remains protected under this DPA.

12.4 Data export is provided in JSON or CSV, compatible with the Smart Data Right under the DUA Act 2025.

13. Liability

13.1 Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

13.2 Nothing in this DPA limits either party’s liability for breaches of data-protection law to the extent such limitation is not permitted by applicable law.

14. General Provisions

14.1 This DPA is governed by the laws of England and Wales.

14.2 In the event of a conflict between this DPA and the Terms of Service, this DPA prevails in respect of data-protection matters.

14.3 The Processor may update this DPA to reflect changes in applicable law. Material changes are notified with at least 30 days’ notice and, where required, trigger re-acceptance.

14.4 DPA queries: [email protected]

Related Documents

  • Privacy Policy
  • Terms of Service
  • Sub-processors List
  • Information Security Policy
  • Incident Response Policy
  • Data Retention Policy

Version 2.0 — effective 21 April 2026.

This document is maintained by SummitBridge Horizon Ltd (Companies House: 16419201). For questions, contact [email protected].